How to Set Up Single Sign-On (SSO) for External AWS Accounts

Abhishek Vala
3 min read · Jul 29, 2023


AWS SSO (IAM Identity Center): https://aws.amazon.com/iam/identity-center/

Introduction: Enabling Single Sign-On (SSO) for external AWS accounts is an essential step to streamline access management and enhance security. This guide walks you through integrating an external AWS account into your AWS SSO (now IAM Identity Center) portal, so users can access multiple AWS accounts with a single set of credentials.

Step 1: Enabling AWS SSO Access

  1. Access your AWS account and navigate to the AWS SSO service.
  2. Initiate the setup process by clicking on “Enable SSO.”

Step 2: Adding an External AWS Account

  1. In the right-side navigation bar, click on “Applications.”
  2. Browse the available applications or use the search feature to find “AWS” and select “External AWS Account.”

Step 3: Configuring the External Account

  1. Provide a descriptive name for the external AWS account; this name will be visible in the SSO portal.
  2. Download the IAM Identity Center metadata file, which will be used to configure the target AWS account.
  3. Confirm your settings by clicking on “Submit” at the end of the page.

Step 4: Creating a New Role in the Targeted AWS Account

  1. Log in to the targeted AWS account using your IAM credentials.
  2. Navigate to the IAM service and click on “Roles” in the navigation bar.
  3. Click on “Create Role.”
  4. Select “SAML 2.0 federation” and upload the downloaded metadata from the source account (SSO Account).
  5. Define the access permissions for the role, such as allowing programmatic and AWS Management Console access.
  6. Proceed to add any desired permissions to the role.
  7. Provide a meaningful name and description for the role, then click on “Create Role.”

Step 5: Copying the Role ARN and Identity Provider

  1. After creating the role, copy the Role ARN and save it to a notepad or secure location for future use.
  2. Copy the ARN of the Identity Provider that was created while creating the role.

Step 6: Configuring Attribute Mapping for the External Application

  1. Return to the source account or SSO account and go to the AWS SSO service.
  2. Click on “Applications” and select the external application you previously created.
  3. On the left-side panel, choose “Edit Attribute Mapping.”
  4. Add a new attribute mapping with the following values:
     • User attribute in the application = https://aws.amazon.com/SAML/Attributes/Role
     • Maps to this string value or user attribute in IAM Identity Center = arn:aws:iam::EXTERNALACCOUNTID:saml-provider/IDENTITYPROVIDERNAME,arn:aws:iam::EXTERNALACCOUNTID:role/NEWROLENAME (substitute the Identity Provider ARN and Role ARN copied in Step 5)
  5. Save the attribute mapping changes to ensure proper communication between the SSO portal and the external AWS account.
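The two values that tie the source and target accounts together are the role trust policy created in Step 4 and the Role attribute string entered in Step 6; a typo in either silently breaks the federation. The following added example (not part of the original post) builds the attribute value, checks that both ARNs belong to the same external account, and verifies that a role trust policy only lets that specific SAML provider call sts:AssumeRoleWithSAML with the console sign-in audience. The account ID, provider name and role name are constructed sample values.

```python
import json
import re

# The two ARN shapes that make up the SAML Role attribute value from Step 6.
PROVIDER_RE = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/([\w+=,.@-]+)$")
ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@-]+)$")
# Audience the IAM console sets in a "SAML 2.0 federation" role trust policy.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"

# Constructed sample of the trust policy the Step 4 role ends up with (fake account ID).
SAMPLE_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/IdentityCenterIdP"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
}]})


def build_role_attribute(account_id, provider_name, role_name):
    """Return the 'provider-arn,role-arn' value pasted into the attribute mapping."""
    return (f"arn:aws:iam::{account_id}:saml-provider/{provider_name},"
            f"arn:aws:iam::{account_id}:role/{role_name}")


def parse_role_attribute(value):
    """Split the pair; each half is identified by ARN type, so either order is handled."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError("expected exactly one 'provider-arn,role-arn' pair")
    provider = next((p for p in parts if PROVIDER_RE.match(p)), None)
    role = next((p for p in parts if ROLE_RE.match(p)), None)
    if provider is None or role is None:
        raise ValueError("pair needs one saml-provider ARN and one role ARN")
    if PROVIDER_RE.match(provider).group(1) != ROLE_RE.match(role).group(1):
        raise ValueError("provider and role must be in the same external account")
    return provider, role


def trust_policy_allows_provider(trust_policy_json, provider_arn):
    """True only if an Allow statement names exactly this provider with the sign-in audience."""
    for stmt in json.loads(trust_policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithSAML" not in actions:
            continue
        federated = stmt.get("Principal", {}).get("Federated")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if federated == provider_arn and aud == SAML_AUDIENCE:
            return True
    return False
```

Run the checks against the real trust policy (`aws iam get-role` returns it under AssumeRolePolicyDocument) before assigning users in Step 9; a mismatched account ID or a missing SAML:aud condition is easier to spot here than from a failed portal login.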

Step 8: Creating Users and Groups

  1. Access the “AWS SSO” service in your AWS account.
  2. Click on “Users” in the left-side navigation pane and then select “Add user.”
  3. Provide the user’s details, including their name and email address.
  4. Optionally, create groups to manage permissions efficiently and assign users to these groups.
  5. Invite the user via email, and they will receive an invitation to set up their password and log in to the SSO portal.

Step 9: Assigning Users or Groups to the External Application

  1. Access the external application from the AWS SSO service.
  2. Assign the previously created users or groups to the application.
  3. Users will now inherit the permissions associated with the role created in the targeted AWS account.

Step 10: Accessing the AWS SSO Portal

  1. To access the AWS SSO portal, go to the following link: https://<your_aws_account_alias>.awsapps.com/start
  2. Alternatively, you can copy the link from the SSO dashboard.
  3. Log in using your AWS account credentials.

Conclusion: By enabling SSO for external AWS accounts, you empower users to effortlessly access multiple AWS accounts with a single set of credentials. This centralized approach enhances security, simplifies access management, and provides a seamless experience for users across different AWS environments. By following these steps, you can easily integrate external AWS accounts into your SSO portal and efficiently manage your AWS infrastructure. Accessing the SSO portal is quick and straightforward, giving users a centralized hub for managing their access to various AWS resources.

If you have any doubts or queries, let me know in the comments. I am here to help you out.
